Package: rkhunter Version: 1.3.0-2 Severity: normal
Hi, When running rkhunter on a system with prelink, the hash checks can fall foul of prelink's checks for sufficient diskspace. I'm not sure whether this should be considered a bug in rkhunter or in prelink... Anyway, the symptoms are that rkhunter takes ages to run, and fails to find any hashes for the binaries it's interested in. The reason is that the prelink wrapper script (which is specific to Debian) checks the free disk space and requests user confirmation if less than 50000 KB is available; the user confirmation has a 20s timeout, so rkhunter sits around waiting for prelink for 20s every time it's invoked when disk space is insufficient. 50000 KB might seem negligible by today's standards, but I use separate /, /usr etc. on all my systems and one of them recently dipped below 50000 KB on /. I haven't checked whether prelink really needs all that space to prelink binaries in / in this situation; I'll give it a shot later today. Here's an extract from rkhunter.log illustrating the problem: [11:04:24] Warning: No hash value found for file '/usr/bin/lastlog' [11:04:44] Hash command output: Partition /dev/md/0 (/) has only 49890 KB free.::!! WARNING !!:It's recommended to have at least 50000 KB of disk space.:Prelink would _really_ damage the ELF files on those partitions.::Aborting prelink. [11:05:04] Warning: No hash value found for file '/usr/bin/ldd' [11:05:24] Hash command output: Partition /dev/md/0 (/) has only 49890 KB free.::!! WARNING !!:It's recommended to have at least 50000 KB of disk space.:Prelink would _really_ damage the ELF files on those partitions.::Aborting prelink. Obviously rkhunter can't do much about this particular failure mode in prelink (other than perhaps calling prelink.bin directly if the disk space issue is irrelevant for verifications), but it would be nice if it didn't attempt to run prelink however many times after the first failure. Regards, Stephen -- System Information: Debian Release: lenny/sid APT prefers testing APT policy: (500, 'testing'), (500, 'stable'), (200, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.22-2-686 (SMP w/2 CPU cores) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash Versions of packages rkhunter depends on: ii debconf [debconf-2.0] 1.5.14 Debian configuration management sy ii exim4 4.67-8 meta-package to ease Exim MTA (v4) ii exim4-daemon-heavy [mail-tran 4.67-8 Exim MTA (v4) daemon with extended ii file 4.21-3 Determines file type using "magic" ii net-tools 1.60-17 The NET-3 networking toolkit ii perl 5.8.8-11.1 Larry Wall's Practical Extraction Versions of packages rkhunter recommends: ii binutils 2.18-1 The GNU assembler, linker and bina ii curl 7.17.0-1 Get a file from an HTTP, HTTPS or ii iproute 20070313-1 Professional tools to control the ii libmd5-perl 2.03-1 backwards-compatible wrapper for D ii lynx 2.8.6-2 Text-mode WWW Browser ii wget 1.10.2-3 retrieves files from the web -- debconf information: * rkhunter/apt_autogen: true * rkhunter/cron_daily_run: true * rkhunter/cron_db_update: true -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
